AI agents redraw vendor risk map

Agentic AI is moving from pilot projects into mainstream corporate workflows, forcing boards and security teams to treat these systems less like software features and more like outside operators with broad access to data, tools and decisions. What changes the risk profile is not only the model itself, but the autonomy layered around it: agents can plan tasks, call other applications, handle credentials and act across systems with limited human intervention. That combination is pushing cyber, legal and compliance teams to rethink third-party risk in far more operational terms.

The concern is gaining urgency as companies race to deploy AI agents for coding, customer service, procurement, investigations and finance operations. Reuters reported on March 23 that Alibaba had launched an agentic platform aimed at small and medium-sized businesses, underscoring how quickly autonomous business software is being commercialised. In parallel, financial institutions and enterprise software vendors are framing agentic workflows as a major productivity shift, with cross-border data handling, outsourced decision support and persistent machine access becoming part of daily operations.

For security professionals, the central issue is straightforward: an AI agent with access to email, internal documents, payment systems, developer tools or identity infrastructure can behave like a privileged contractor, except at machine speed and scale. OWASP’s 2026 work on agentic applications identifies risks including agent behaviour hijacking, tool misuse, identity and privilege abuse, unsafe autonomy, memory poisoning and weak oversight of multi-agent systems. Those are not abstract failures. They describe pathways through which an apparently helpful assistant can become a new route for fraud, data leakage, unauthorised transactions or operational disruption.

That is why the “third party” comparison is resonating in boardrooms. Traditional vendor risk programmes examine what an outside supplier can see, what it can change, what systems it connects to and how its actions are logged, challenged and terminated. Agentic AI now raises the same questions. A company may build an agent in-house, but it still depends on external model providers, cloud infrastructure, tool connectors and underlying data pipelines. Even where the provider is contractually familiar, the operational model is different because the system can make sequential choices rather than simply return a static output.

Policy frameworks are beginning to catch up. NIST’s AI Risk Management Framework and its generative AI profile emphasise governance, mapping, measurement and ongoing management of harms throughout the AI lifecycle rather than one-off approval at launch. A draft NIST cyber profile for AI published in December 2025 goes further by focusing on securing AI system components, defending against AI-enabled attacks and using AI securely in operations. The message is that AI risk cannot be parked with procurement or innovation teams alone; it must sit inside continuous control systems.

British cyber officials have made a similar point. The National Cyber Security Centre has warned that AI will increase the volume and impact of cyber attacks, while stressing that security must remain a core requirement through the full lifecycle of AI systems. In late 2025, the NCSC also warned that misunderstanding a new class of generative AI vulnerability could lead to large-scale breaches. Its latest work on frontier AI and cyber defence argues that model capability is improving quickly even where end-to-end attack execution remains limited. For companies adopting agents, that means the sensible assumption is not that the technology is harmless until proven dangerous, but that weakly governed autonomy will create exploitable openings.

The business case for deployment remains strong, which is why the risk debate is not slowing adoption. Agentic systems can cut routine workloads, widen investigative capacity and help teams monitor transactions or compliance tasks faster than manual processes. That upside is especially attractive in finance, where institutions face pressure to improve fraud controls, customer response times and due diligence without sharply increasing headcount. Yet the stronger the economic case, the greater the pressure to grant agents more permissions, broader context windows and deeper system integration. That is the point at which a productivity tool begins to resemble a lightly supervised vendor with administrator-level reach.
